Posted to users@tomee.apache.org by cocorossello <co...@gmail.com> on 2014/08/29 12:41:54 UTC

Session passivation and remote user

Hi,

I don't really know if it's a plain tomcat issue or myfaces (or integration
of both).

I have a tomcat session manager that writes sessions to disk after some
seconds (testing purposes)

  <Manager className='org.apache.catalina.session.PersistentManager'
           saveOnRestart='false'
           processExpiresFrequency='15'
           maxActiveSessions='300'
           minIdleSwap='14'
           maxIdleSwap='14'
           maxIdleBackup='14'>
    <Store className='org.apache.catalina.session.FileStore'/>
  </Manager>

It works fine, I can see sessions going to and from the disk.

12:37:01.739 [ContainerBackgroundProcessor[StandardEngine[Catalina]]] DEBUG
org.apache.catalina.session.PersistentManagerBase - Start expire sessions
PersistentManager at 1409308621739 sessioncount 1
12:37:01.740 [ContainerBackgroundProcessor[StandardEngine[Catalina]]] DEBUG
org.apache.catalina.session.PersistentManagerBase - End expire sessions
PersistentManager processingTime 1 expired sessions: 0


The problem comes with declarative security. Whenever a session is restored
from the disk I can see that request.getRemoteUser is null, so the user has
to login again...

I guess it's a tomcat problem... has anybody had this problem?

Thank you.



--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/Session-passivation-and-remote-user-tp4671464.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: Session passivation and remote user

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

you can read: org.apache.catalina.session.StandardSession#doReadObject

"
principal = null;        // Transient only
"

so all user related methods will return null


I think it is for security reasons, because otherwise it would not be
that hard to steal sessions



Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-08-29 17:52 GMT+02:00 cocorossello <co...@gmail.com>:
> I have tried with tracking-mode, but it still does not work. After the session
> is serialized tomcat shows the login page, giving me no chance to execute a
> webFilter or whatever so I could just perform a request.login() with the
> user and password. SessionListener won't work either as the session is not
> really destroyed, I guess.
>
>
> I'll try the same in a plain tomcat to see what's going on (or just give up
> declarative security...)
>
> Best regards,
> Vicente.
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.n4.nabble.com/Session-passivation-and-remote-user-tp4671464p4671473.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
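
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Tomcat's code: a hypothetical `DemoSession` keeps its principal transient and clears it on deserialization, so attributes survive a round trip to the store while `getRemoteUser()` comes back null and the user name never reaches the stored bytes. The class names, attribute and user are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for a container session; this is not Tomcat's StandardSession.
public class PassivationDemo {
    static class DemoSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, String> attributes = new HashMap<>();
        // transient: the authenticated identity is never written to the store
        private transient Principal principal;
        void setPrincipal(Principal p) { principal = p; }
        String getRemoteUser() { return principal == null ? null : principal.getName(); }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            principal = null; // same effect as the line quoted from doReadObject
        }
    }

    // Passivation: the bytes a file-backed store would write to disk.
    static byte[] passivate(DemoSession s) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(s);
        }
        return buf.toByteArray();
    }

    // Activation: rebuild the session from the stored bytes.
    static DemoSession activate(byte[] stored) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stored))) {
            return (DemoSession) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        DemoSession live = new DemoSession();
        live.attributes.put("cart", "3 items");   // constructed attribute
        live.setPrincipal(() -> "alice");          // constructed user
        byte[] stored = passivate(live);
        DemoSession restored = activate(stored);
        System.out.println("attributes after restore: " + restored.attributes);
        System.out.println("remote user: " + live.getRemoteUser() + " -> " + restored.getRemoteUser());
        boolean inStore = new String(stored, StandardCharsets.ISO_8859_1).contains("alice");
        System.out.println("user name present in stored bytes: " + inStore);
    }
}
```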

Re: Session passivation and remote user

Posted by cocorossello <co...@gmail.com>.
I have tried with tracking-mode, but it still does not work. After the session
is serialized tomcat shows the login page, giving me no chance to execute a
webFilter or whatever so I could just perform a request.login() with the
user and password. SessionListener won't work either as the session is not
really destroyed, I guess.


I'll try the same in a plain tomcat to see what's going on (or just give up
declarative security...)

Best regards,
Vicente.



--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/Session-passivation-and-remote-user-tp4671464p4671473.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: Session passivation and remote user

Posted by Andy Gumbrecht <ag...@tomitribe.com>.
Hi cocorossello,

Do you have the following in your web.xml:

<session-config>
      <tracking-mode>COOKIE</tracking-mode>
</session-config>

Andy.

On 29/08/2014 12:41, cocorossello wrote:
> Hi,
>
> I don't really know if it's a plain tomcat issue or myfaces (or integration
> of both).
>
> I have a tomcat session manager that writes sessions to disk after some
> seconds (testing purposes)
>
>   <Manager className='org.apache.catalina.session.PersistentManager'
>            saveOnRestart='false'
>            processExpiresFrequency='15'
>            maxActiveSessions='300'
>            minIdleSwap='14'
>            maxIdleSwap='14'
>            maxIdleBackup='14'>
>     <Store className='org.apache.catalina.session.FileStore'/>
>   </Manager>
>
> It works fine, I can see sessions going to and from the disk.
>
> 12:37:01.739 [ContainerBackgroundProcessor[StandardEngine[Catalina]]] DEBUG
> org.apache.catalina.session.PersistentManagerBase - Start expire sessions
> PersistentManager at 1409308621739 sessioncount 1
> 12:37:01.740 [ContainerBackgroundProcessor[StandardEngine[Catalina]]] DEBUG
> org.apache.catalina.session.PersistentManagerBase - End expire sessions
> PersistentManager processingTime 1 expired sessions: 0
>
>
> The problem comes with declarative security. Whenever a session is restored
> from the disk I can see that request.getRemoteUser is null, so the user has
> to login again...
>
> I guess it's a tomcat problem... has anybody had this problem?
>
> Thank you.
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.n4.nabble.com/Session-passivation-and-remote-user-tp4671464.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>
>


-- 
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe
   http://www.tomitribe.com